Rob Wright provides us with details on what businesses should be doing now to prepare for the General Data Protection Regulation.
Following on from our last issue we provided some things that businesses should be doing to comply with GDPR. We look at more points that businesses should be doing to prepare for GDPR.
Here are some things businesses should be doing now to prepare for the new regulations.
You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. In short, if your organisation collects information about children – in the UK this will probably be defined as anyone under 13 – then you will need a parent or guardian’s consent in order to process their personal data lawfully. This could have significant implications if your business aims services at children and collects their personal data. Remember that consent has to be verifiable and that when collecting children’s data your privacy notice must be written in language that children will understand.
2. Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments (PIAs) and work out how to implement them within your business. PIA assessments are carried out to identify and reduce privacy risks when completing a project. This is only required in high-risk situations. The purpose of the PIA is to ensure that privacy risks are minimised while allowing the aims of the project to be met whenever possible, this would include changes to IT systems
or new IT equipment. This assessment is to be completed prior to any changes and ensure that it is documented.
3. Data Protection Officers
You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. The GDPR will require some organisations to designate a Data Protection Officer (DPO), for example public authorities or ones whose activities involve the regular and systematic monitoring of data subjects on a large scale. The important thing is to make sure that someone in your organisation, or an external data protection advisor, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to do so effectively. Therefore you should consider now whether you will be required to designate a DPO and, if so, to assess whether your current approach to data protection compliance will meet the GDPR’s requirements.
4. Access Requests
You should make sure you have the right procedures in place to detect, report and investigate a personal data
Some organisations are already required to notify the ICO (and possibly some other bodies) when they suffer a personal data breach. However, the GDPR will bring in a breach notification duty across the board. This will be new to many organisations. Not all breaches will have to be notified to the ICO – only ones where the individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach.
You should start now to make sure you have the right procedures in place to detect, report and investigate a personal data breach. This could involve assessing the types of data you hold and documenting which ones would fall within the notification requirement if there was a breach. In some cases you will have to notify the individuals whose data has been subject to the breach directly, for example where the breach might leave them open to financial loss. Larger organisations will need to develop policies and procedures for managing data breaches – whether at a central or local level. Note that a failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
If your business operates internationally, you should determine which data protection supervisory authority you come under.
The GDPR contains quite complex arrangements for working out which data protection supervisory authority takes the lead when investigating a complaint with an international aspect, for example where a data processing operation affects people in a number of Member States. Put simply, the lead authority is determined according to where your organisation has its main
administration or where decisions about data processing are made.
If you have any queries at all we would recommend contacting the ICO directly who will be able to answer any of your questions.
Source: ICO – Information